It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling
DoH or DoT? Punch-up time!
Last week, amid some acrimony, the Internet Engineering Task Force (IETF) formally adopted a new encryption standard for the internet's naming system.
But far from the approval of RFC 8484, better known as DNS-over-HTTPS or DoH, putting the issue to bed, it has stirred up a hornet's nest of upset among internet engineers that shows no signs of calming down.
Indeed, those for the DoH standard and those set against it appear to have become increasingly entrenched in their views, with disagreement spilling over into conferences and the tech press.
Perhaps the biggest opponent – or at least, the most well known – Paul Vixie has been running a steady stream of angry commentary on the issue, both on Twitter and at the recent Wild West Hackin' Fest conference in South Dakota.
Vixie is one of the original designers of the DNS and is very annoyed at what he sees as an unnecessary breaking of the DNS' core design and an IETF that has lost its way. On Tuesday, he repeatedly dismissed supporters' arguments, vowed never to allow the standard on any networks he runs, and declared full-blown war.
Meanwhile, other high-profile internet engineers, including Geoff Huston, chief scientist at regional internet registry APNIC, have been arguing that the new protocol is not only a good thing, taken overall, but could actually open up new opportunities and push the internet in a completely different, positive direction.
The dispute has drawn in respected engineers from across the globe – many of them arguing in public over DoH and in many cases, their preferred alternative, DoT – DNS over TLS.
Who gets to control traffic?
In one Twitter spat on Monday, the Internet Society's chief internet technology officer, a key voice at the IETF, disagreed with Vixie about who has the right to control internet traffic and where it goes – the user/host or the network operator – sparking a back-and-forth that pulled in other engineers, without resolution.
At the normally relaxed and detail-heavy DNS Operations, Analysis, and Research Center (DNS-OARC) meeting – held twice a year, this time in Amsterdam – two sessions centered on DoH and sparked such a level of, shall we say, healthy debate that one commenter referred to it as "DoHysteria."
So what is going on? And why are views getting more entrenched? It's important to remember that this is the internet and its domain name system – the most insanely cobbled-together network of servers and protocols the world has ever seen.
The internet shouldn't work but does, thanks in large part to people dealing with precise imprecision. If there is one group of people that can handle ambiguity with the parameters of their job it is internet engineers.
The reason for the dispute is, at the heart of it, deeply held beliefs about what the internet is and should be.
DoH, or DNS-over-HTTPS, is a way of encrypting DNS traffic to make it hard for third parties to see where people are coming from and where they are going to online. Fans of the protocol point out that because the standard sends DNS queries over the same port as ordinary HTTPS traffic (443), an observer on the network cannot pick the lookups out from everything else, which makes it extremely difficult to track people's movements.
And for that reason, it is a great tool for privacy: something that internet users that live in authoritarian or tightly controlled countries put significant value on. There are countless examples of the authorities using internet traffic to track dissidents, not all of which end up very happily.
To that end, one group of internet engineers believe that DoH does a terrific job in defending the internet's core nature: as a global network where information can be shared freely and all of mankind can benefit from one another's knowledge and insights.
But that exact same privacy benefit is also driving those deeply opposed to DoH. By shoveling it all through the same port, DoH means those that actually run networks are unable to see what is going on in their network and are unable to delve into traffic and remove the parts of it they don't like.
In the hands of an authoritarian government that level of control can be used to identify people, but in the hands of the majority of network administrators it is a vital tool for removing malicious content and for identifying and shutting out abusers such as hackers.
This anti-DoH group tends to prefer a different standard designed to achieve the same goal of encrypting DNS traffic: DNS over TLS (DoT, RFC 7858). DoT wraps ordinary DNS in TLS on its own dedicated port, 853, so the queries themselves are protected from eavesdroppers while the basic design principles of the domain name system are retained: network operators can still see that DNS traffic is flowing over their systems, even if they can no longer read it.
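To make the port distinction concrete, here is an added illustration (not code from the article or from any of the projects it mentions) that builds the same DNS query as an RFC 8484 DoH request and as an RFC 7858 DoT stream, then shows what a network operator can tell from the destination port alone. The hostname, the `/dns-query` path and the sample flows are constructed for the example; the DoH GET encoding is checked against the worked example in RFC 8484 section 4.1.1.

```python
"""Build one DNS query in DoH (RFC 8484) and DoT (RFC 7858) form.

Added example, not from the article. Names, paths and flows are constructed.
"""
import base64
import struct
from typing import Dict, List


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal RFC 1035 wire-format query (qtype 1 = A).

    txid defaults to 0 because RFC 8484 recommends a fixed ID for DoH so
    that identical queries produce identical, cacheable HTTP requests.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_path(query: bytes, template_path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the message goes in the `dns` query parameter,
    base64url-encoded with the trailing '=' padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template_path}?dns={b64}"


def doh_get_request(query: bytes, host: str) -> bytes:
    """The HTTP/1.1 text carried inside TLS to port 443. On the wire this is
    just another HTTPS request; nothing at the TCP/TLS layer marks it as DNS."""
    return (
        f"GET {doh_get_path(query)} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "\r\n"
    ).encode("ascii")


def doh_post_request(query: bytes, host: str) -> bytes:
    """RFC 8484 POST form: raw wire-format message as the body."""
    head = (
        "POST /dns-query HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + query


def dot_frame(query: bytes) -> bytes:
    """RFC 7858 reuses DNS-over-TCP framing (RFC 1035 4.2.2): a two-byte
    big-endian length prefix, sent inside TLS to the dedicated port 853."""
    return struct.pack("!H", len(query)) + query


def classify_flow(dst_port: int) -> str:
    """What an operator can say about a flow from the destination port alone.
    DoT stands out as DNS; DoH blends into the rest of the HTTPS traffic."""
    if dst_port == 53:
        return "dns-plaintext"
    if dst_port == 853:
        return "dns-over-tls"
    if dst_port == 443:
        return "https-or-doh"
    return "other"


def summarize_flows(flows: List[Dict[str, object]]) -> Dict[str, int]:
    """Count constructed flow records by what the port reveals."""
    counts: Dict[str, int] = {}
    for flow in flows:
        kind = classify_flow(int(flow["dst_port"]))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_request(q, "doh.resolver.example").decode())
    print(dot_frame(q).hex())
    # Constructed flow records: one DoT lookup, one DoH lookup, one web page.
    sample = [
        {"dst_port": 853, "dst": "198.51.100.1"},
        {"dst_port": 443, "dst": "198.51.100.2"},
        {"dst_port": 443, "dst": "198.51.100.3"},
    ]
    print(summarize_flows(sample))
```

The point the code makes is the one the two camps are fighting over: `classify_flow` can label the port 853 connection as DNS and block or log it as such, but the two port 443 flows are indistinguishable by port, so an operator who wants to stop DoH is reduced to blocking the resolver's addresses or hostnames rather than the protocol.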
To this group, DoH represents a dangerous detour that could create all sorts of security problems in the future – and they are confident of that because the design of DoH goes against the principles that have kept the internet functioning and expanding at an extraordinary rate for decades.
The problem is that both sides are right. And standards exist and have been approved for both approaches, which network administrators are free to implement while knowing – in theory at least – that they will work across the internet.
What isn't being said – at least not out loud and not yet – is that internet standards live and die on their broader acceptance among engineers.
There are plenty of standards that have been approved and simply never took off. And there are others that everyone agrees should be used but are met with resignation or mild despair – the most famous being IPv6, which, not being backwards compatible with IPv4, is still struggling on despite its enormous importance.
The path to an internet standard gaining near universal acceptance – and being implemented – is a strange and unpredictable one. But one thing you can be fairly sure of is that internet engineers don't want to use two standards when they can use one. Which means that it is very likely that either DoH or DoT will become dominant and the other will slowly fade away.
Which one that is will depend very much on how it is perceived among the broad group of global internet engineers. Hence the battle for hearts and minds.
There is another element, of course. It's fair to say that the majority of the DoH supporters are comfortable with, or at least willing to accept, the fact that the internet, for all its global glory, is increasingly being overseen by a small number of very large companies. Think Google. Mozilla. Cloudflare in this case.
DoH inherently acknowledges that reality and may even reinforce it. The fact that Mozilla has said it will implement DoH means that it is moving toward broad acceptance and may hit a tipping point soon. In that sense, all eyes are on Google to see what it does.
On the other hand, DoT continues to represent the internet as it should be – at least in the eyes of those that originally designed it. It allows for big beasts but doesn't benefit them; it puts everyone on an equal footing and makes the internet far less "manageable."
So which are you? Someone ready to accept that the internet is dominated by a small number of big players in order to improve everyone's privacy; or someone who thinks that the internet has to be retained as a network that can go any direction it needs to and must be able to defy anyone else's efforts to control it?
That philosophical question is why internet engineers are so mad, and will likely continue to be for some time. ®